Working with user authentication

Derby provides
support for user authentication. User authentication means that Derby authenticates the name
and password for a user before allowing that user access to the system.

When user authentication is enabled (which it is not by default), the user
requesting a connection must provide a valid name and password, which Derby verifies against the
repository of users defined for the system. After Derby authenticates
the user, it grants the user access to the Derby system
but not necessarily access to the database made in the connection request.
In the Derby system, access
to a database is determined by user
authorization.

For user authentication, Derby allows
you to provide a repository of users in a number of different ways. For example,
you can hook Derby up to
an external directory service elsewhere in your enterprise, create your own
directory service, or use Derby's
simple mechanism for creating a built-in repository of users.

You can define a repository of users for a particular database or for an
entire system, depending on whether you use system-wide or database-wide properties.

When Derby user authentication
is enabled and Derby uses
an external directory service, the architecture looks something like that
shown in the figure below:

Figure 1. Derby user
authentication using an external service. The application can be a single-user
application with an embedded Derby engine
or a multi-user application server.

Derby always runs embedded
in another Java application, whether that application is a single-user application
or a multiple-user application server or connectivity framework. A database
can be accessed by only one JVM at a time, so it is possible to deploy a system
in which the application in which Derby is
embedded, not Derby, handles
the user authentication by connecting to an external directory service.

Figure 2. The application provides the user authentication
using an external service. The application can be a single-user application
with an embedded Derby engine
or a multi-user application server.

Enabling user authentication
To enable user authentication, set the derby.connection.requireAuthentication property to true. Otherwise, Derby does not require a user name and password. You can set this property as a system-wide property or as a database-wide property.

Defining users
Derby provides several ways to define the repository of users and passwords. To specify which of these services to use with your Derby system, set the property derby.authentication.provider to the appropriate value as discussed here.
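The two settings above, enabling authentication and choosing the user repository, as an added example that is not part of the Derby documentation or code base. It uses Derby's built-in provider (property value BUILTIN) with one user defined through a derby.user.<name> property, and assumes derby.jar is on the classpath; the database name, user and password are constructed sample values.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

/**
 * Enables Derby user authentication with the BUILTIN provider through
 * system-wide properties, then shows the effect on connection requests.
 * Requires derby.jar on the classpath (JDBC 4 auto-loads the embedded driver).
 */
public class DerbyAuthDemo {
    // Constructed sample: an in-memory database, so nothing is left on disk.
    private static final String DB_URL = "jdbc:derby:memory:authDemo;create=true";

    public static void main(String[] args) throws SQLException {
        // System-wide properties must be set before the Derby engine boots,
        // i.e. before the first getConnection() call in this JVM.
        System.setProperty("derby.connection.requireAuthentication", "true");
        System.setProperty("derby.authentication.provider", "BUILTIN");
        // One user in the built-in repository; the password is a sample value.
        System.setProperty("derby.user.alice", "s3cret-example");

        // A request without a name and password is refused.
        try (Connection ignored = DriverManager.getConnection(DB_URL)) {
            System.out.println("unexpected: connected without credentials");
        } catch (SQLException e) {
            System.out.println("refused (SQLState " + e.getSQLState() + "): " + e.getMessage());
        }

        // A wrong password is refused the same way.
        try (Connection ignored = DriverManager.getConnection(DB_URL, "alice", "wrong")) {
            System.out.println("unexpected: connected with a bad password");
        } catch (SQLException e) {
            System.out.println("refused (SQLState " + e.getSQLState() + ")");
        }

        // Valid name and password: Derby authenticates the user and grants
        // access to the system; whether alice may use this particular
        // database is a separate authorization decision.
        try (Connection conn = DriverManager.getConnection(DB_URL, "alice", "s3cret-example")) {
            System.out.println("authenticated as " + conn.getMetaData().getUserName()
                    + ", connected to " + conn.getMetaData().getURL());
        }
    }
}
```

A derby.user.<name> entry set as a system property or in derby.properties is plain text on the host, so a deployment would define users as database-wide properties (SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY) or point derby.authentication.provider at an external directory service instead.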

External directory service
A directory service stores names and attributes of those names. A typical use for a directory service is to store user names and passwords for a computer system. Derby uses the Java Naming and Directory Interface (JNDI) to interact with external directory services that can authenticate users' names and passwords.